Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 09:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe
-
Size
52KB
-
MD5
283def5a1ca20371277e5e22810b8808
-
SHA1
0b25f42f4e015d38d80fc7dfced6c9549b30dd04
-
SHA256
b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61
-
SHA512
501c3ef7f54d34fd341824d68fe0272b292c7c0e54d8bc1bf2de680c50266ca3d6c0fce9b003de0659feb7215a5c5405002e8111d294b4400966257c3aaba4a8
-
SSDEEP
768:kJ3KO8PO1T7gAk5D3Z+NT6wHHzpci6KMsMUnT4Hshp/1H5F/s3gMABvKWe:kNKO8P0upgH9CdiTE6j0gMAdKZ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neiaeiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieajkfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgfjhcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikifegp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmeiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dacpkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihniaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehlkhig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkndhabp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncbdomg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcmap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldglp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dicnkdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahnac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofadnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfokinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbmcibjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pegqpacp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qackpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eldglp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jajcdjca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfefgkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjaddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmicfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckjamgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcmap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmojkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgphp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfqpecma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loefnpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqeqqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcilf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfpabkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmnjkjd.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2268 Ppfomk32.exe 820 Pcdkif32.exe 2768 Pecgea32.exe 2732 Pnjofo32.exe 2712 Pphkbj32.exe 2812 Pcghof32.exe 2292 Peedka32.exe 2488 Pomhcg32.exe 2408 Pegqpacp.exe 628 Pjcmap32.exe 1796 Pkdihhag.exe 1384 Phhjblpa.exe 2904 Pldebkhj.exe 2436 Qgmfchei.exe 1848 Qododfek.exe 468 Qackpado.exe 1076 Qhmcmk32.exe 2952 Adcdbl32.exe 1392 Agbpnh32.exe 2568 Ajqljc32.exe 776 Aqjdgmgd.exe 300 Aciqcifh.exe 592 Afgmodel.exe 2092 Aopahjll.exe 1940 Aggiigmn.exe 2236 Ajeeeblb.exe 2828 Amcbankf.exe 2760 Aflfjc32.exe 2708 Ajgbkbjp.exe 2404 Aijbfo32.exe 2644 Akiobk32.exe 1884 Aodkci32.exe 316 Bcpgdhpp.exe 1692 Bmhkmm32.exe 1700 Bkklhjnk.exe 2908 Bofgii32.exe 1908 Bfqpecma.exe 2476 Becpap32.exe 1512 Biolanld.exe 1952 Bgblmk32.exe 1532 Boidnh32.exe 2948 Bnldjekl.exe 1672 Bbgqjdce.exe 2340 Bajqfq32.exe 1928 Befmfpbi.exe 2416 Biaign32.exe 2064 Bgdibkam.exe 2744 Bjbeofpp.exe 1332 Bnnaoe32.exe 2764 Bammlq32.exe 3012 Bckjhl32.exe 3024 Bgffhkoj.exe 2572 Bjebdfnn.exe 840 Bmcnqama.exe 2876 Bejfao32.exe 2276 Bcmfmlen.exe 2240 Bflbigdb.exe 1000 Cnckjddd.exe 2448 Cmfkfa32.exe 536 Caaggpdh.exe 1612 Cpdgbm32.exe 1836 Cgkocj32.exe 2172 Cjjkpe32.exe 2280 Cillkbac.exe -
Loads dropped DLL 64 IoCs
pid Process 348 b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe 348 b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe 2268 Ppfomk32.exe 2268 Ppfomk32.exe 820 Pcdkif32.exe 820 Pcdkif32.exe 2768 Pecgea32.exe 2768 Pecgea32.exe 2732 Pnjofo32.exe 2732 Pnjofo32.exe 2712 Pphkbj32.exe 2712 Pphkbj32.exe 2812 Pcghof32.exe 2812 Pcghof32.exe 2292 Peedka32.exe 2292 Peedka32.exe 2488 Pomhcg32.exe 2488 Pomhcg32.exe 2408 Pegqpacp.exe 2408 Pegqpacp.exe 628 Pjcmap32.exe 628 Pjcmap32.exe 1796 Pkdihhag.exe 1796 Pkdihhag.exe 1384 Phhjblpa.exe 1384 Phhjblpa.exe 2904 Pldebkhj.exe 2904 Pldebkhj.exe 2436 Qgmfchei.exe 2436 Qgmfchei.exe 1848 Qododfek.exe 1848 Qododfek.exe 468 Qackpado.exe 468 Qackpado.exe 1076 Qhmcmk32.exe 1076 Qhmcmk32.exe 2952 Adcdbl32.exe 2952 Adcdbl32.exe 1392 Agbpnh32.exe 1392 Agbpnh32.exe 2568 Ajqljc32.exe 2568 Ajqljc32.exe 776 Aqjdgmgd.exe 776 Aqjdgmgd.exe 300 Aciqcifh.exe 300 Aciqcifh.exe 592 Afgmodel.exe 592 Afgmodel.exe 2092 Aopahjll.exe 2092 Aopahjll.exe 1940 Aggiigmn.exe 1940 Aggiigmn.exe 2236 Ajeeeblb.exe 2236 Ajeeeblb.exe 2828 Amcbankf.exe 2828 Amcbankf.exe 2760 Aflfjc32.exe 2760 Aflfjc32.exe 2708 Ajgbkbjp.exe 2708 Ajgbkbjp.exe 2404 Aijbfo32.exe 2404 Aijbfo32.exe 2644 Akiobk32.exe 2644 Akiobk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oplelf32.exe Olpilg32.exe File created C:\Windows\SysWOW64\Cmfaflol.dll Qkfocaki.exe File opened for modification C:\Windows\SysWOW64\Pnjofo32.exe Pecgea32.exe File created C:\Windows\SysWOW64\Ckboie32.dll Qackpado.exe File created C:\Windows\SysWOW64\Cpnidcen.dll Cbgmigeq.exe File created C:\Windows\SysWOW64\Qknbpmpk.dll Chfbgn32.exe File created C:\Windows\SysWOW64\Qffhlolm.dll Enlidg32.exe File opened for modification C:\Windows\SysWOW64\Ggnmbn32.exe Gjjmijme.exe File created C:\Windows\SysWOW64\Hpphhp32.exe Hldlga32.exe File created C:\Windows\SysWOW64\Ippdgc32.exe Imahkg32.exe File created C:\Windows\SysWOW64\Damocb32.dll Pkdihhag.exe File created C:\Windows\SysWOW64\Dmdgpc32.dll Bbgqjdce.exe File opened for modification C:\Windows\SysWOW64\Cnckjddd.exe Bflbigdb.exe File opened for modification C:\Windows\SysWOW64\Khkbbc32.exe Kdpfadlm.exe File opened for modification C:\Windows\SysWOW64\Kgnbnpkp.exe Khkbbc32.exe File opened for modification C:\Windows\SysWOW64\Nibqqh32.exe Nfdddm32.exe File created C:\Windows\SysWOW64\Fqliblhd.dll Olpilg32.exe File created C:\Windows\SysWOW64\Alnalh32.exe Ahbekjcf.exe File opened for modification C:\Windows\SysWOW64\Bjbeofpp.exe Bgdibkam.exe File created C:\Windows\SysWOW64\Ddblgn32.exe Deollamj.exe File created C:\Windows\SysWOW64\Olnldn32.dll Hihlqeib.exe File created C:\Windows\SysWOW64\Bceibfgj.exe Bdcifi32.exe File created C:\Windows\SysWOW64\Hiablm32.dll Bqlfaj32.exe File created C:\Windows\SysWOW64\Ijppackl.dll Cmjdaqgi.exe File opened for modification C:\Windows\SysWOW64\Gjjmijme.exe Ggkqmoma.exe File opened for modification C:\Windows\SysWOW64\Lbfook32.exe Lnjcomcf.exe File created C:\Windows\SysWOW64\Alppmhnm.dll Abmgjo32.exe File created C:\Windows\SysWOW64\Pdkiofep.dll Bjmeiq32.exe File opened for modification C:\Windows\SysWOW64\Cfmhdpnc.exe Cnfqccna.exe File created C:\Windows\SysWOW64\Dogpdg32.exe Dklddhka.exe File created C:\Windows\SysWOW64\Ecploipa.exe Epbpbnan.exe File created C:\Windows\SysWOW64\Eogmcjef.exe Elipgofb.exe File created C:\Windows\SysWOW64\Ihdpbq32.exe Idicbbpi.exe File created C:\Windows\SysWOW64\Pgddfe32.dll Lnhgim32.exe File opened for modification C:\Windows\SysWOW64\Phlclgfc.exe Piicpk32.exe File created C:\Windows\SysWOW64\Pepcelel.exe Pbagipfi.exe File created C:\Windows\SysWOW64\Lkknbejg.dll Bgoime32.exe File created C:\Windows\SysWOW64\Eaeipfei.exe Eogmcjef.exe File opened for modification C:\Windows\SysWOW64\Fogibnha.exe Flhmfbim.exe File opened for modification C:\Windows\SysWOW64\Mikjpiim.exe Mjhjdm32.exe File opened for modification C:\Windows\SysWOW64\Nidmfh32.exe Neiaeiii.exe File created C:\Windows\SysWOW64\Cmfkfa32.exe Cnckjddd.exe File created C:\Windows\SysWOW64\Aaiioe32.dll Edibhmml.exe File opened for modification C:\Windows\SysWOW64\Gdhkfd32.exe Gfejjgli.exe File created C:\Windows\SysWOW64\Pafdjmkq.exe Pepcelel.exe File opened for modification C:\Windows\SysWOW64\Bdcifi32.exe Bqgmfkhg.exe File opened for modification C:\Windows\SysWOW64\Pecgea32.exe Pcdkif32.exe File created C:\Windows\SysWOW64\Icehdl32.dll Kadfkhkf.exe File opened for modification C:\Windows\SysWOW64\Bkhhhd32.exe Bgllgedi.exe File created C:\Windows\SysWOW64\Ehpalp32.exe Eddeladm.exe File created C:\Windows\SysWOW64\Gncldi32.exe Goplilpf.exe File opened for modification C:\Windows\SysWOW64\Gqahqd32.exe Gncldi32.exe File created C:\Windows\SysWOW64\Jmdepg32.exe Ijehdl32.exe File opened for modification C:\Windows\SysWOW64\Knkgpi32.exe Kjokokha.exe File opened for modification C:\Windows\SysWOW64\Pkaehb32.exe Pgfjhcge.exe File created C:\Windows\SysWOW64\Idkhmgco.dll Pphkbj32.exe File opened for modification C:\Windows\SysWOW64\Adcdbl32.exe Qhmcmk32.exe File opened for modification C:\Windows\SysWOW64\Koaqcn32.exe Kkeecogo.exe File opened for modification C:\Windows\SysWOW64\Pgfjhcge.exe Phcilf32.exe File opened for modification C:\Windows\SysWOW64\Pcdkif32.exe Ppfomk32.exe File created C:\Windows\SysWOW64\Qododfek.exe Qgmfchei.exe File created C:\Windows\SysWOW64\Mfnnbf32.dll Fqalaa32.exe File opened for modification C:\Windows\SysWOW64\Knfndjdp.exe Kocmim32.exe File created C:\Windows\SysWOW64\Jeoggjip.dll Lhpglecl.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5484 5276 WerFault.exe 564 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqjdgmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnckjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egikjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbgckgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loefnpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddblgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgnnlle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bammlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfegij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbdmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcckcbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locjhqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfoin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojecajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcjdkpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebpkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjmijme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgehno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqklqhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnldjekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhomkcoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehlkhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeieced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqocoin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeladm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbnhmjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecploipa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbffoabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cillkbac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblgnkdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkklhjnk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbefdnjd.dll" Cpdgbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqcglmgd.dll" Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giackg32.dll" Koaqcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifppipg.dll" Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afgmodel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkephn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgoime32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olnldn32.dll" Hihlqeib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagina32.dll" Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddgejcp.dll" Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" Bmbgfkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Cchbgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dobgihgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafalh32.dll" Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgokeion.dll" Iakgefqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedcpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjhkej32.dll" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnfppba.dll" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" Apedah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Achjibcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aciqcifh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll" Adifpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" Cgfkmgnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkgen32.dll" Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfekkflj.dll" Ihbcmaje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlmgo32.dll" Mikjpiim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcjcme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epbpbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fogibnha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcakjoj.dll" Nibqqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdcifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cchbgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phhjblpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfqpecma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnldjekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lohccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll" Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdaemiaj.dll" Cfpldf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 348 wrote to memory of 2268 348 b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe 30 PID 348 wrote to memory of 2268 348 b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe 30 PID 348 wrote to memory of 2268 348 b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe 30 PID 348 wrote to memory of 2268 348 b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe 30 PID 2268 wrote to memory of 820 2268 Ppfomk32.exe 31 PID 2268 wrote to memory of 820 2268 Ppfomk32.exe 31 PID 2268 wrote to memory of 820 2268 Ppfomk32.exe 31 PID 2268 wrote to memory of 820 2268 Ppfomk32.exe 31 PID 820 wrote to memory of 2768 820 Pcdkif32.exe 32 PID 820 wrote to memory of 2768 820 Pcdkif32.exe 32 PID 820 wrote to memory of 2768 820 Pcdkif32.exe 32 PID 820 wrote to memory of 2768 820 Pcdkif32.exe 32 PID 2768 wrote to memory of 2732 2768 Pecgea32.exe 33 PID 2768 wrote to memory of 2732 2768 Pecgea32.exe 33 PID 2768 wrote to memory of 2732 2768 Pecgea32.exe 33 PID 2768 wrote to memory of 2732 2768 Pecgea32.exe 33 PID 2732 wrote to memory of 2712 2732 Pnjofo32.exe 34 PID 2732 wrote to memory of 2712 2732 Pnjofo32.exe 34 PID 2732 wrote to memory of 2712 2732 Pnjofo32.exe 34 PID 2732 wrote to memory of 2712 2732 Pnjofo32.exe 34 PID 2712 wrote to memory of 2812 2712 Pphkbj32.exe 35 PID 2712 wrote to memory of 2812 2712 Pphkbj32.exe 35 PID 2712 wrote to memory of 2812 2712 Pphkbj32.exe 35 PID 2712 wrote to memory of 2812 2712 Pphkbj32.exe 35 PID 2812 wrote to memory of 2292 2812 Pcghof32.exe 36 PID 2812 wrote to memory of 2292 2812 Pcghof32.exe 36 PID 2812 wrote to memory of 2292 2812 Pcghof32.exe 36 PID 2812 wrote to memory of 2292 2812 Pcghof32.exe 36 PID 2292 wrote to memory of 2488 2292 Peedka32.exe 37 PID 2292 wrote to memory of 2488 2292 Peedka32.exe 37 PID 2292 wrote to memory of 2488 2292 Peedka32.exe 37 PID 2292 wrote to memory of 2488 2292 Peedka32.exe 37 PID 2488 wrote to memory of 2408 2488 Pomhcg32.exe 38 PID 2488 wrote to memory of 2408 2488 Pomhcg32.exe 38 PID 2488 wrote to memory of 2408 2488 Pomhcg32.exe 38 PID 2488 wrote to memory of 2408 2488 Pomhcg32.exe 38 PID 2408 wrote to memory of 628 2408 Pegqpacp.exe 39 PID 2408 wrote to memory of 628 2408 Pegqpacp.exe 39 PID 2408 wrote to memory of 628 2408 Pegqpacp.exe 39 PID 2408 wrote to memory of 628 2408 Pegqpacp.exe 39 PID 628 wrote to memory of 1796 628 Pjcmap32.exe 40 PID 628 wrote to memory of 1796 628 Pjcmap32.exe 40 PID 628 wrote to memory of 1796 628 Pjcmap32.exe 40 PID 628 wrote to memory of 1796 628 Pjcmap32.exe 40 PID 1796 wrote to memory of 1384 1796 Pkdihhag.exe 41 PID 1796 wrote to memory of 1384 1796 Pkdihhag.exe 41 PID 1796 wrote to memory of 1384 1796 Pkdihhag.exe 41 PID 1796 wrote to memory of 1384 1796 Pkdihhag.exe 41 PID 1384 wrote to memory of 2904 1384 Phhjblpa.exe 42 PID 1384 wrote to memory of 2904 1384 Phhjblpa.exe 42 PID 1384 wrote to memory of 2904 1384 Phhjblpa.exe 42 PID 1384 wrote to memory of 2904 1384 Phhjblpa.exe 42 PID 2904 wrote to memory of 2436 2904 Pldebkhj.exe 43 PID 2904 wrote to memory of 2436 2904 Pldebkhj.exe 43 PID 2904 wrote to memory of 2436 2904 Pldebkhj.exe 43 PID 2904 wrote to memory of 2436 2904 Pldebkhj.exe 43 PID 2436 wrote to memory of 1848 2436 Qgmfchei.exe 44 PID 2436 wrote to memory of 1848 2436 Qgmfchei.exe 44 PID 2436 wrote to memory of 1848 2436 Qgmfchei.exe 44 PID 2436 wrote to memory of 1848 2436 Qgmfchei.exe 44 PID 1848 wrote to memory of 468 1848 Qododfek.exe 45 PID 1848 wrote to memory of 468 1848 Qododfek.exe 45 PID 1848 wrote to memory of 468 1848 Qododfek.exe 45 PID 1848 wrote to memory of 468 1848 Qododfek.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe"C:\Users\Admin\AppData\Local\Temp\b590d7e3eeeca479e0306736e4e3d1ef9a0b2ad72d533a555781dfac4e80ce61.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:300 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe33⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe34⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe35⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe37⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe39⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe40⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe42⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe46⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe47⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe49⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe50⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe52⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe54⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe55⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe56⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe57⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe60⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe61⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe63⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe64⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:868 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe67⤵PID:2496
-
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe68⤵PID:1680
-
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe69⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe70⤵PID:2600
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe71⤵PID:1472
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe72⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe73⤵PID:1880
-
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe74⤵PID:2992
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe75⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe76⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe77⤵PID:2020
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe78⤵PID:1708
-
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe79⤵PID:844
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe80⤵PID:800
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe81⤵PID:1092
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe82⤵PID:1924
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe83⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe84⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe85⤵PID:2612
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe86⤵PID:1620
-
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe87⤵PID:2656
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe89⤵PID:1140
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe90⤵
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe91⤵PID:880
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe92⤵PID:660
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe93⤵PID:1608
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe94⤵PID:1632
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe95⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe96⤵PID:2076
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe98⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe99⤵
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe100⤵PID:1736
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe101⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe102⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe103⤵PID:2472
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe104⤵PID:1124
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe105⤵PID:3064
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe106⤵PID:1168
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe107⤵PID:2244
-
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe108⤵PID:2184
-
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe109⤵PID:2632
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe110⤵PID:2548
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe111⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe112⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:396 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe115⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe116⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe117⤵PID:1944
-
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe118⤵PID:2672
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1428 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe120⤵PID:1872
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe121⤵PID:1656
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-